ThreatFox IOC Database
You are viewing the ThreatFox database entry for domain merluis-beta.pages.dev.
Database Entry
| IOC ID: | 1785150 |
|---|---|
| IOC: | merluis-beta.pages.dev |
| IOC Type: | domain |
| Threat Type: | payload_delivery |
| Malware: | Unknown RAT |
| Confidence Level: | Confidence level is elevated (75%) |
| Is compromised?: | False |
| ASN: | AS13335 CLOUDFLARENET |
| Country: | US |
| First seen: | 2026-04-13 12:58:20 UTC |
| Last seen: | never |
| UUID: | 4c857ef8-372f-11f1-8759-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | cloudflare-pages fake-game infostealer phishing RAT ZKM-Stealer |
| Reference: | https://tria.ge/260407-s8dpgahs5l/behavioral1 |
Omaha
Active malware distribution site for ZKM Stealer 26.0.0. Hosted on Cloudflare Pages. Part of ongoing fake game social engineering campaign (Try My Beta Game) active since October 2025. Victims directed here via compromised accounts on online messaging platforms.
Site presents as fake game download page directing victims to download malicious NSIS installer Merluis-Setup-2.0.0.exe bundled with Java RAT.
Original site merluis.pages.dev was taken down following abuse report to Cloudflare. This is the replacement spawn site confirmed active April 13 2026.
SHA256 of distributed payload:
bd3997c44f1820eccc6574ee003bf5319b6a27d28e782937271c6ae190af024d
Law enforcement notified:
FBI IC3: fad477e92b9f4692b96be4eac6236d20
CISA: CCASE0175447
US